Apr 08 2014

Major Bug in OpenSSL [Update]

Administrators running OpenSSL to protect their mail and web servers need to fix a critical vulnerability present in versions 1.0.1a through 1.0.1f and 1.0.2 beta 1 of the cryptographic library and related tools. According to experts from Google and the Finnish security firm Codenomicon, attackers could exploit the flaw to obtain the secret keys used to encrypt traffic, user names and passwords, and actual mail and message content.

Dubbed the "Heartbleed Bug", the problem is essentially a read overrun that may be used to reveal up to 64 kbit of memory from a connected server or client; the overrun itself is caused by "a missing bounds check in the handling of the TLS heartbeat extension," says the OpenSSL Project's official security advisory. The bug is listed in the MITRE Corporation's Common Vulnerabilities and Exposures (CVE) database as CVE-2014-0160. Codenomicon, for its part, has launched a new web page to warn administrators about the flaw and its possible consequences; their research revealed that the leak gives attackers access to four categories of material:

  • Primary key material, i.e. keys used to encrypt traffic that goes across SSL/TLS/DTLS connections – this is particularly critical if you use X.509 certificates and S/MIME
  • Secondary key material, such as user names and passwords
  • Protected content, that is, all content that was encrypted including emails, instant messages, documents/attachments etc.
  • Collateral, for instance memory addresses or information about existing security measures against overflow attacks that may be used to prepare follow-up raids on the same servers and/or company networks

The easiest way to fix the vulnerability is to upgrade to the latest OpenSSL version, 1.0.1g, which addresses this and other security bugs. Users of the beta version will have to wait for version 1.0.2 beta 2. Users of the older 0.9.8 and 1.0.0 branches are not affected.

Software that could be vulnerable to attacks includes the Apache and nginx web servers, the Postfix and Sendmail mail servers, and several Linux distributions, including Debian 7.x (Wheezy) and later; Ubuntu 12.04 LTS, 12.10 and 13.10; and Fedora 19 and 20. Patches for these distributions are available from the regular sources.

Administrators who are unable to upgrade their OpenSSL installation at short notice can block the vulnerability by recompiling their existing version with the OPENSSL_NO_HEARTBEATS flag, which removes the heartbeat extension altogether.

[Update 04-11-14:] In the meantime, more details about Heartbleed have been revealed:

  • Mass tests conducted after the disclosure showed that around 630 of the 10,000 most popular websites in the Alexa ranking were affected, among them the pages of Yahoo, Imgur, Flickr, Kaspersky and DuckDuckGo as well as those of several classic media outlets such as the Rolling Stone music magazine and Switzerland's renowned Tagesanzeiger newspaper. Google and its related services, Facebook, Twitter, Paypal, Wikipedia and others were reportedly safe; others – such as LinkedIn, CNN, Apple and various Microsoft services (Bing, MSN etc.) – appear not to use any form of SSL/TLS.
  • Mobile operating systems seem relatively safe – Android editions up until v2.3 and from v4.1.2 onwards either use older OpenSSL code or have eliminated the heartbeat functionality; an app that checks if your Android is vulnerable is available from the Google Play Store. iOS and Windows Phone rely on proprietary crypto libraries.
  • Leading vendors of networking equipment such as Cisco and Juniper have launched massive product security tests, others may follow.
  • In an interview with The Guardian, the German developer Robin Seggelmann admitted that he had introduced the Heartbleed bug into OpenSSL on December 31, 2011 by mistake and that it had later "slipped through the review process [...] into the released version." Seggelmann worked for the OpenSSL project from 2008 to 2012; he has since joined T-Systems as a solutions architect. The Guardian article also explains in non-technical terms what makes Heartbleed so dangerous: "When it works properly, a user's computer sends a Heartbeat packet to the server. The packet simply contains a chunk of random data, and a note saying how much data it's sent; the server receives the packet, and then sends back exactly the same data, confirming that it's listening. The problem which can be exploited in a Heartbleed attack involves the attacker's computer lying about how much data it has sent: it sends over a single byte of information, but tells the server that it has sent 64KB instead. The server makes a note, and knows that it has to send 64KB back, but doesn't have a full 64KB of data. What pushes the error into a full-blown catastrophe is that the server then fills the rest of the packet with any other information which [resides in] its memory at the time." A more detailed and technical explanation is available from The Register.
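The following is an added illustration of the "missing bounds check" described above, not code from this article or from the OpenSSL project. It models a heartbeat record (1 byte type, 2-byte big-endian payload length, payload, 16 bytes of padding) sitting in a constructed buffer next to data the server never intended to send, and runs the same handler twice: once trusting the length field blindly, and once with the check that the 1.0.1g fix adds, namely that the claimed payload plus padding must fit inside the record actually received. All buffer contents, names and sizes are constructed for the demonstration; the "demo-only" guard exists so that the unchecked path stays inside the program's own buffer, something the real vulnerable code did not have.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_PADDING  16                 /* minimum padding after the payload */
#define REC_LEN     (1 + 2 + 4 + HB_PADDING)   /* our constructed record: 23 bytes */

/* Handle one heartbeat request that starts at mem[0].  The record proper is
 * rec_len bytes long; mem_len covers everything the process holds after it
 * (constructed here, but in a real server this would be arbitrary heap).
 * Returns the number of bytes echoed into out, or -1 if the request is
 * rejected. bounds_check selects the vulnerable or the fixed behaviour. */
long handle_heartbeat(const unsigned char *mem, size_t mem_len, size_t rec_len,
                      unsigned char *out, size_t out_cap, int bounds_check)
{
    if (rec_len < 3 || rec_len > mem_len || mem[0] != HB_REQUEST) return -1;

    /* The length field is peer-controlled and is what the vulnerable code trusted. */
    size_t payload_len = ((size_t)mem[1] << 8) | mem[2];

    if (bounds_check) {
        /* The 1.0.1g check: claimed payload plus padding must fit in the record. */
        if (1 + 2 + payload_len + HB_PADDING > rec_len) return -1;
    }
    if (payload_len > out_cap) return -1;
    if (3 + payload_len > mem_len) return -1;   /* demo-only guard, see lead-in */

    /* Echo payload_len bytes back.  Without the check above this copies whatever
     * follows the real payload in memory, which is the Heartbleed leak. */
    memcpy(out, mem + 3, payload_len);
    return (long)payload_len;
}

/* Build constructed "session memory": a heartbeat record whose length field
 * claims `claimed` bytes while carrying a 4-byte payload, followed by a string
 * standing in for key material or other secrets that happen to lie next to it. */
static size_t build_memory(unsigned char *mem, unsigned int claimed)
{
    static const char payload[]   = "ping";
    static const char neighbour[] = "SECRET-KEY-MATERIAL-0123";   /* 24 bytes */
    size_t n = 0;
    mem[n++] = HB_REQUEST;
    mem[n++] = (unsigned char)(claimed >> 8);
    mem[n++] = (unsigned char)(claimed & 0xff);
    memcpy(mem + n, payload, 4);          n += 4;
    memset(mem + n, 0, HB_PADDING);       n += HB_PADDING;        /* record ends: 23 bytes */
    memcpy(mem + n, neighbour, sizeof neighbour - 1);
    n += sizeof neighbour - 1;                                     /* total: 47 bytes */
    return n;
}

/* Vulnerable path: a record claiming 40 bytes of payload.  Returns how many
 * bytes of the neighbouring secret were copied into the reply (0 if none). */
long leaked_bytes_unchecked(void)
{
    unsigned char mem[64], out[64];
    size_t mem_len = build_memory(mem, 40);
    long n = handle_heartbeat(mem, mem_len, REC_LEN, out, sizeof out, 0);
    if (n < 0) return n;
    long overrun = n - (long)(4 + HB_PADDING);     /* bytes beyond payload+padding */
    if (overrun <= 0) return 0;
    return memcmp(out + 4 + HB_PADDING, mem + REC_LEN, (size_t)overrun) == 0 ? overrun : 0;
}

/* Fixed path: same record layout, arbitrary claimed length, bounds check on. */
long reply_len_checked(unsigned int claimed)
{
    unsigned char mem[64], out[64];
    size_t mem_len = build_memory(mem, claimed);
    return handle_heartbeat(mem, mem_len, REC_LEN, out, sizeof out, 1);
}

int main(void)
{
    printf("unchecked handler leaked %ld bytes of neighbouring memory\n", leaked_bytes_unchecked());
    printf("checked handler, claimed 40: %ld (rejected)\n", reply_len_checked(40));
    printf("checked handler, claimed 4:  %ld (echoed)\n", reply_len_checked(4));
    return 0;
}
```

The unchecked run echoes 40 bytes although the record holds only 4 bytes of payload, so 20 bytes of the neighbouring "secret" come back to the peer; the checked run rejects the same record and only answers a request whose claimed length fits. Building OpenSSL with OPENSSL_NO_HEARTBEATS, as the article suggests, removes this code path entirely instead of correcting it.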
